In that role, he recently instigated a French investigation into Google's planned overhaul of its privacy policies and sternly warned major online advertisers that their proposals for a do-not-track option for its Internet browser wouldn't meet the standards of European law.

All the major browser companies have agreed to install do-not-track switches that allow consumers to easily tell businesses they don't want their activity monitored. But privacy and industry groups continue to wrestle over what that will mean at the World Wide Web Consortium, an Internet standards body.

Kohnstamm visited the Bay Area last week to discuss these and other privacy issues in person with major Silicon Valley businesses. Over the weekend, he sat down with The Chronicle for a conversation about the European view of digital privacy, the ongoing debate over do not track and the status of the European Commission's strict new privacy proposals.

If approved, they would force businesses operating in Europe to inform consumers when, how and why their data is collected. Moreover, the rules would ensure consumers have the "right to be forgotten," enabling them to demand that Facebook, Google and others delete their information.

Kohnstamm was back in the news on Wednesday, saying that European officials are considering reopening their probe into Google's collection of unencrypted personal data through the company's Street View cars. That announcement followed the emergence of documents that suggest the company misled European regulators by insisting the data collection was unintentional and the work of a rogue engineer, he told the New York Times.

Sjoera Nas, an Internet expert with the Dutch Data Protection Authority who worked on its initial Street View investigation, accompanied Kohnstamm during the discussion and weighed in on several points as well.

Q:Even before the proposals in January, European standards have been stricter than U.S. ones when it comes to privacy. What's your view of the way in which the U.S. politicians and regulators have handled this issue?

Kohnstamm: The main difference is, in Europe, because of the Treaty of Lisbon (which went into effect in 2009), data protection is considered a fundamental right. In the United States, it's considered a consumer's right.

That means if a U.S. firm says, I'm going to handle data privacy in a particular way, through a contract between the service provider and client, the only thing that can go wrong is if the service provider doesn't do what he promised.

In Europe, we say, because it's a fundamental right, there are some principles that, whatever the contract is, should be implied.

Q:One of the most controversial rules in the proposals, at least on this side of the Atlantic, is the concept of a "right to be forgotten." It has the potential to grate against U.S. views about the importance of freedom of expression. What's your take on the appropriate balance?

Kohnstamm: There's one basic principle that is behind the right to be forgotten: One of the most important things for human beings is that they have the right to grow older, to change their habits, to evolve and develop in different ways.

The Internet makes it nearly impossible to choose other ways to live, without being confronted all the time with the previous ways you thought about things. So, fundamentally, behind the principle of a right to be forgotten is this idea that you shouldn't judge a child on its childish behavior 20 years later.

Q:As I understand it, a compromise might be forming behind the scenes of the do-not-track discussions at the World Wide Web Consortium. The privacy advocate side of the table will go along with the industry push to count their corporate affiliates as first parties - meaning that even if do-not-track is turned on, if you use Google, you also have a relationship with YouTube and Gmail, and they can all monitor your activity on those sites.

But in exchange for that, they would take a hard stance on so-called third parties. So the data exchanges and ad networks that don't directly interact with a user would have no rights to drop cookies on their browsers. How would you view that kind of a compromise?

Kohnstamm: It very much depends. We have seen contracts, even in Europe, by the way, where it says, "all data given to us, we could give it to carefully selected other parties." Which doesn't say much, except that it's a free-for-all.

The Google example is a good one, because it's not clear that a user of Google would in the end expect information to be given to all other services and products of Google (or even know the services are related).

Nas: The law in Europe does not require us to make a compromise, because it says if you set a cookie on end-user equipment or read information from it, you have to have prior consent. So it doesn't matter at all if this is a first or third party. Technically, legally speaking, this is really an American issue. But, of course, we're listening in carefully.

Q:That's actually another issue I wanted to address. In your view, does European law say that browser companies will have to ship with do-not-track flipped on, or at least flipped to neutral, in a way that forces users to make an active choice?

Kohnstamm: The decisive decision should be with the user, so it should be in neutral. Neutral would then mean there is no explicit consent yet.

One of the changes, actually clarifications in the European privacy proposals, says that consent can't be implied. It's explicit or it's not.

There, I think, is the most clear example of where we differ from the United States, coming from the fundamental right perspective.

Q: The French privacy agency has said Google's recent change to its privacy policies, which linked user data across products, might run afoul of European law. You were quoted saying they might be subject to penalties. What about the change might be illegal?

Kohnstamm: That's a question I'm not going to answer. I have asked the French in the name of the Working Party to do the investigation of the change of policy. As long as the outcome of the investigation is not decided, I'm not going to say maybe they aren't compliant, etc. etc.

But the questions are: What are the changes, are these changes essential and, if so, can a company change their general contractual policies without asking for the explicit consent of users?

These are reasonable questions and the French are now in the midst of finalizing, I understand, their report.